support user-requested filtering of extensions. resolves #1844
[xtuple] / node-datasource / routes / auth.js
index 651acdf..fea2dc7 100644 (file)
@@ -5,19 +5,12 @@ regexp:true, undef:true, strict:true, trailing:true, white:true */
 (function () {
   "use strict";
 
-
-  var recoverEmailText = "Follow this secure link to reset your password: " +
-    "https://%@/%@/recover/reset/%@/%@";
-  var systemErrorMessage = "A system error occurred. I'm very sorry about this, but I can't give " +
-    "you any more details because I'm very cautious about security and this is a sensitive topic.";
-
   /**
     @name Auth
     @class Auth
     */
   var passport = require('passport'),
-      url = require('url'),
-      utils = require('../oauth2/utils');
+      url = require('url');
 
   /**
     Receives user authentication credentials and have passport do the authentication.
@@ -26,9 +19,15 @@ regexp:true, undef:true, strict:true, trailing:true, white:true */
     //passport.authenticate('local', { successReturnToOrRedirect: '/login/scope', failureRedirect: '/', failureFlash: 'Invalid username or password.' }),
     passport.authenticate('local', { failureRedirect: '/?login=fail' }),
     function (req, res, next) {
-
+      var pathName = "/app";
       if (req && req.session && !req.session.oauth2 && req.session.passport && req.session.passport.user && req.session.passport.user.organization) {
-        res.redirect("/" + req.session.passport.user.organization + '/app');
+        if (req.body.extensions) {
+          pathName = pathName + "?extensions=" + req.body.extensions;
+        }
+        if (req.body.hash && req.body.hash.charAt(0) === "#") {
+          pathName = pathName + req.body.hash;
+        }
+        res.redirect("/" + req.session.passport.user.organization + pathName);
         //next();
       } else {
         exports.scopeForm(req, res, next);
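Review bot: `req.body.extensions` is appended to the redirect query string without encoding on the `pathName = pathName + "?extensions=" + ...` line, so a value containing `&`, `#` or `%` reshapes the query or fragment the app receives rather than being passed through as one parameter value; `pathName = pathName + "?extensions=" + encodeURIComponent(req.body.extensions);` keeps it a single value. The `req.body.hash` branch has the same gap: only the leading `#` is checked and the remainder is appended raw, so `pathName = pathName + "#" + encodeURIComponent(req.body.hash.slice(1));` would be the matching guard. Both values come from the POST body, whereas the organization segment comes from the session, so the redirect target stays under the user's own organization path; the concern is parameter integrity, not an open redirect. The handler `function (req, res, next)` closes outside this hunk.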
@@ -49,165 +48,6 @@ regexp:true, undef:true, strict:true, trailing:true, white:true */
     res.render('login', { message: message, databases: X.options.datasource.databases });
   };
 
-  exports.forgotPasswordForm = function (req, res) {
-    res.render('forgot_password', { message: [], databases: X.options.datasource.databases });
-  };
-
-  exports.recoverPassword = function (req, res) {
-    var userCollection = new SYS.UserCollection(),
-      email = req.body.email,
-      database = req.body.database,
-      errorMessage = "Cannot find email address",
-      successMessage = "An email has been sent with password recovery instructions";
-
-    if (!database || X.options.datasource.databases.indexOf(database) < 0) {
-      // don't give away that this database exists (or not) to prying eyes
-      res.render('forgot_password', { message: [errorMessage], databases: X.options.datasource.databases });
-      return;
-    }
-
-    userCollection.fetch({
-      query: {
-        parameters: [{
-          attribute: "email",
-          value: email
-        }]
-      },
-      database: database,
-      username: X.options.databaseServer.user,
-      success: function (collection, results, options) {
-        var recoverModel,
-          setRecovery,
-          username;
-
-        if (results.length === 0) {
-          res.render('forgot_password', { message: [errorMessage], databases: X.options.datasource.databases });
-          return;
-        } else if (results.length > 1) {
-          // quite a quandary
-          // errorMessage = "Wasn't expecting to see multiple users with this email address";
-          res.render('forgot_password', { message: [systemErrorMessage], databases: X.options.datasource.databases });
-          return;
-        }
-        username = results[0].username;
-        setRecovery = function () {
-          //
-          // We've initialized our recovery model. Now set and save it.
-          //
-          var uuid = utils.generateUUID(),
-            id = recoverModel.get("id"),
-            uuidHash = X.bcrypt.hashSync(uuid, 12),
-            now = new Date(),
-            tomorrow = new Date(now.getTime() + 1000 * 60 * 60 * 24),
-            attributes = {
-              recoverUsername: username,
-              hashedToken: uuidHash,
-              accessed: false,
-              reset: false,
-              createdTimestamp: now,
-              expiresTimestamp: tomorrow
-            },
-            saveSuccess = function () {
-              //
-              // We've saved our recovery model. Now send out an email.
-              //
-              var mailContent = {
-                from: "no-reply@xtuple.com",
-                to: email,
-                subject: "xTuple password reset instructions",
-                text: recoverEmailText.f(req.headers.host, database, id, uuid)
-              };
-              // XXX: don't log this
-              console.log(mailContent);
-              X.smtpTransport.sendMail(mailContent, function (err) {
-                //
-                // We've sent out the email. Now return to the user
-                //
-                if (err) {
-                  res.render('forgot_password', { message: [systemErrorMessage],
-                    databases: X.options.datasource.databases });
-                  return;
-                }
-                res.render('forgot_password', { message: [successMessage],
-                  databases: X.options.datasource.databases });
-              });
-            },
-            saveError = function () {
-              res.render('forgot_password', { message: [errorMessage], databases: X.options.datasource.databases });
-            };
-
-          recoverModel.set(attributes);
-          recoverModel.save(null, {
-            database: database,
-            username: X.options.databaseServer.user,
-            success: saveSuccess,
-            error: saveError
-          });
-        };
-        recoverModel = new SYS.Recover();
-        recoverModel.on('change:id', setRecovery);
-        recoverModel.initialize(null, {isNew: true, database: database});
-      },
-      error: function () {
-        res.render('forgot_password', { message: [errorMessage], databases: X.options.datasource.databases });
-      }
-    });
-  };
-
-  exports.verifyRecoverPassword = function (req, res) {
-    var database = req.params.org,
-      error = function () {
-        res.render('forgot_password', { message: [systemErrorMessage], databases: X.options.datasource.databases });
-      },
-      recoveryModel = new SYS.Recover();
-
-    console.log(req.params);
-    recoveryModel.fetch({
-      id: req.params.id,
-      database: req.params.org,
-      username: X.options.databaseServer.user,
-      success: function (model, result, options) {
-        var now = new Date(),
-          uuidHash = X.bcrypt.hashSync(req.params.token, 12);
-        console.log(model, result);
-        console.log(model.get("hashedToken"), req.params.token);
-        X.bcrypt.compare(req.params.token, model.get("hashedToken"), function (err, compare) {
-          if (err ||
-              !compare ||
-              model.get("accessed") ||
-              model.get("reset") ||
-              now.getTime() > model.get("expiresTimestamp").getTime()) {
-
-            // TODO: get the paths straight
-            res.render('forgot_password', { message: [systemErrorMessage], databases: X.options.datasource.databases });
-            return;
-          }
-          console.log(compare, result.hashedToken, req.params.token);
-
-          //
-          // There is a valid recovery model. Update it as accessed.
-          //
-          recoveryModel.set({
-            // TODO: activate this
-            //accessed: true,
-            //accessedTimestamp: now,
-            expiresTimestamp: new Date(now.getTime() + 1000 * 60 * 15), // 15 minutes
-            ip: req.connection.remoteAddress
-          });
-          // TODO: put the token and the id in the user's session
-          recoveryModel.save(null, {
-            database: req.params.org,
-            username: X.options.databaseServer.user,
-            error: error,
-            success: function (model, result, options) {
-              res.render('reset_password');
-            }
-          });
-        });
-      },
-      error: error
-    });
-  };
   /**
     Logs out user by removing the session and sending the user to the login screen.
    */